Device containing state workers' data stolen

COLUMBUS - A thief made away with a state government computer backup "storage device" containing the names and COLUMBUS numbers of more than 64,000 state employees, prompting Gov. Ted Strickland to issue an alert yesterday.

The theft from a 22-year-old college intern's car occurred overnight Sunday in the Columbus suburb of Hilliard and was reported Monday morning, but Mr. Strickland's administration said it took several days to determine the extent of the risk.

"What we're doing here is cautionary," Mr. Strickland said. "There is no evidence there has been a breach. We believe it would be rather difficult for whoever has the device to access information from it."

He said the thief would need "specialized information or technology" to do so.

The state is offering free identity-theft monitoring to all 64,467 employees of state and legislative offices, boards, and commissions for one year at a total cost to taxpayers estimated at $660,000.

Yesterday afternoon, officials said the data did not include personal addresses, phone numbers, or birth dates.

Late last night, the governor's office said that it believes the data may also include personal information of the dependents of employees who participate in the state's pharmacy benefit program.

The device was taken home by Office of Budget and Management intern Jared Ilovar, who was randomly selected as part of a routine protocol requiring backup data to be stored at a different location than the primary data backup.

The protocol called for the secondary backup data to be taken home to a residence, not for it to be left in a car.

The police report indicated two items were stolen from the car - a radar detector valued at $200 and the data device valued at $15. The administration refused to describe the device.

Mr. Strickland issued an executive order changing the protocol that he said dates back to 2002. In the future, the information will be stored at a separate work site in a fireproof box under lock and key, said J. Pari Sabety, state budget director.

The governor plans to ask Ohio's inspector general to investigate the situation leading up to the theft.

Although he said the decision to assign the device to an

intern was inappropriate, Mr. Strickland said, "I'm not looking for a scapegoat, certainly not an intern scapegoat."

The intern had been working at a site testing the new Ohio Administrative Knowledge System, the state's new centralized payroll system. Ms. Sabety said the device stored data from the work site only and was not the backup for the entire OAKS system.

Administration officials used the original data storage device to review more than 338,634 files before determining the extent of the potential threat. Mr. Strickland's office was not notified until Wednesday, and the Ohio Highway Patrol began to investigate Thursday.

"In a single week, the Strickland administration had to deal with an employee accused of perjury and theft in office, a report questioning the management ability of its lieutenant governor, and now a major security breach affecting every state worker's personal data," said Rep. Kevin DeWine (R., Fairborn), deputy chairman of the Ohio Republican Party.

"The taxpayers are now having to foot the bill for two investigations and identity theft protection for 64,000 Ohioans," Mr. DeWine said. "This is just downright irresponsible management of state government, and it raises some serious questions about the judgment of this administration."

Democrats were critical of Republican gubernatorial candidate Ken Blackwell during last year's campaign after it was revealed that his secretary of state's Web site included scans of loan documents containing some Social Security numbers.

Mr. Strickland said the two incidents are not comparable.

"We certainly didn't voluntarily make this information available ...," he said. "This obviously is an unfortunate set of circumstances, but I repeat, having this backup information removed and taken to a personal residence was in fact a part of the protocol that I believe was adopted in 2002. I have already changed that procedure."

Mr. Blackwell was sued last year when his office did not immediately cut off public access to the Web site records and instead, citing their importance to the business community, initiated a plan to gradually review the records and strike sensitive information.

State employees seeking more information about their options may call 1-888-644-6648 for a recording, or call live hot lines at 1-877-742-5622 or 1-800-267-4474. The hot lines will be manned between 10 a.m. and 4 p.m. over the weekend and from 8 a.m. to 5 p.m. on weekdays.

By 5 p.m. yesterday, more than 600 calls had been logged by two live hot lines. The number of call handlers was doubled to 18 to accommodate the volume.

Karen Ash of Maumee, who works for the Ohio Department of Health, characterized the situation as just the latest identity mishap to befall her family.

She said two of her credit cards have been stolen and that her husband learned his personal information may be at risk because of data theft involving the U.S. Department of Veterans Affairs. So far, no bills for unexplained shopping sprees have appeared in their mail.

"I guess it's not as disconcerting because it has become pretty commonplace," she said. "It's just one more thing in a long line of major administrative errors."

For Darlene Sweeney-Newbern, who works at Government Center as Toledo regional director of the Ohio Civil Rights Commission, the data theft was no cause for frenzy.

"I'm not going to lose any sleep over it," she said, adding that it seems like much of one's personal information can be accessed online these days by a committed data thief.

Robert Siciliano of Boston, chief executive officer of IDtheftsecurity.com, said state employees should not rely solely on state-supplied monitoring.

"I would recommend that they get a credit freeze as soon as possible if you have that option [in Ohio]," he said. "At the least, they should call the credit bureaus and get a 90-day flag on their credit right now and, every 90 days from this point on, re-establish that flag."

A bill to add Ohio to the list of states allowing consumers to demand that major reporting agencies freeze access to their credit until notified otherwise recently passed the House but is still in the Senate.

"This particular incident is just another one of the many reasons why, now more than ever, consumers need this type of protection," said Rep. Jimmy Stewart (R., Athens), one of the bill's sponsors.